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© Method and apparatus for providing enhanced data verification in a computer system. 



© A personal computer system compatible with 
application programs and operating system software. 
The personal computer system includes a micropro- 
cessor (300) electrically coupled to a data bus (322), 
non-volatile memory (308) electrically coupled to the 
data bus, volatile memory (312) electrically respon- 
sive to the data bus and a direct access storage 
device (108,324) electrically responsive to the data 
bus, the direct access storage device storing a sec- 



ond portion of operating system microcode. The 
non-volatile memory stores a first portion of operat- 
ing system microcode and the direct access storage 
device stores a second portion of operating system 
microcode. The second portion of operating system 
microcode includes a boot program. The first portion 
of operating system microcode verifies the integrity 
of the boot program prior to loading the boot pro- 
gram into the volatile memory. 
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This invention relates to personal computer 
systems and, more particularly, to a method and 
apparatus for verifying computer data. 

Personal computer systems in general, and 
IBM personal computers in particular, have attained 
widespread use for providing computer power to 
many segments of today's society. A personal 
computer system can usually be defined as a desk 
top, floor standing, or portable computer that in- 
cludes a system unit having a system processor, a 
display monitor, a keyboard, one or more diskette 
drives, a fixed disk storage, an optional pointing 
device such as a "mouse," and an optional printer. 
These systems are designed primarily to give in- 
dependent computing power to a single user or 
small group of users and are inexpensively priced 
for purchase by individuals or businesses. 

Personal computer systems may be linked to 
form a network of computers (e.g., a Local Area 
Network (LAN)) so that users can exchange in- 
formation, share I/O devices, and utilize a particular 
direct access storage device (DASD) such as a 
particular hardfile or diskette. Typically, the LAN 
includes a client and a server. A server is a com- 
puter system which includes a DASD for supplying 
the storage for one or more clients of the local area 
network. 

With personal computers, software and hard- 
ware compatibility is of great importance. To pro- 
vide software and hardware compatibility, an in- 
sulation layer of system resident code, also re- 
ferred to as microcode, was established between 
the hardware and the software. This code provided 
an operational interface between a user's applica- 
tion program or operating system and the hardware 
device to relieve the user of the concern about the 
characteristics of hardware devices. Eventually, the 
code developed into a basic input/output system 
(BIOS), for allowing new hardware devices to be 
added to the system, while insulating the applica- 
tion program/operating system from tile peculiar- 
ities of the hardware devices. The importance of 
BIOS was immediately evident because it freed a 
device driver from depending on specific hardware 
device characteristics while providing the device 
driver with an intermediate interface to the hard- 
ware device. Because BIOS was an integral part of 
the computer system and controlled the movement 
of data in and out of the system processor, it was 
resident on a system planar board of the system 
unit and was shipped to the user in either a read- 
only memory (ROM) or an erasable programmable 
read-only memory (EPROM). The ROM also con- 
tained a power-on self test (POST) program which 
was used to test and initialize the computer sys- 
tem. Tile accumulation of code resident in the 
computer system ROM became known as the 
"system firmware," or simply "firmware." Thus, the 



firmware included a POST portion and a BIOS 
portion. Sometimes, BIOS was defined to include 
the POST program. 

The POST program tests and initializes the 

5 personal computer system. The completion of 
POST occurs when POST loads a boot program 
(that is, a program for preparing the system for 
operation by loading an operating system) and 
transfers control to the boot program. The boot 

w program is typically loaded from a storage device 
such as a disk. In prior art systems, before POST 
transfers control to the boot program, POST 
checks the boot program. As shown in "Technical 
Reference Personal Computer XT", January 1983, 

is page A-90 Fixed Disk BIOS, program line 482, the 
boot program is checked for a generic boot block 
signature (i.e. descriptive header information that 
specifies whether a file is executable, the boot 
block being tile first block of a file system, where 

20 the boot strap sequence of loading instructions 
resides). The generic boot block signature is shown 
as a word hex value of 0AA55. The "Technical 
Reference Personal Computer XT" is hereby incor- 
porated herein by reference. Additional checks 

25 where added as described in "Technical Reference 
Personal Computer AT", November 15, 1985 up- 
date, page 5-88, program lines 375-387. The addi- 
tional checks in the IBM Personal Computer AT 
POST included insuring that the first value of the 

30 boot program was not "6", and that the first eight 
word location values of the boot program were not 
identical. The "Technical Reference Personal Com- 
puter AT", November 15, 1985 update version is 
hereby included herein by reference. POST at- 

35 tempted to check and verify the boot program 
using the above described techniques as were 
available at the time. 

It is easily seen that the entirety of the boot 
program is not checked. The boot program is an 

40 essential part of the overall startup of a computer 
system and thus requires a more rigorous check 
and verification procedure. 

The present invention provides a personal 
computer system compatible with application pro- 

45 grams and operating system software, the personal 
computer system comprising: a microprocessor 
electrically coupled to a data bus; non-volatile 
memory electrically coupled to the data bus, said 
non-volatile memory storing a first portion of op- 

50 erating system microcode; volatile memory elec- 
trically responsive to the data bus; a direct access 
storage device electrically responsive to the data 
bus, said direct access storage device storing a 
second portion of operating system microcode, 

55 said second portion of operating system microcode 
including a boot program; at least a first verifying 
means for verifying the integrity of said boot pro- 
gram prior to loading said boot program into said 
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volatile memory, said first means for verifying be- 
ing integral with said first portion of operating sys- 
tem microcode. 

An object of the present invention is to provide 
a method and apparatus for enhanced verification 
of computer programs and data loaded by the 
POST program. 

The invention preferably provides a firmware- 
level virus protection through detecting boot record 
changes via signature patterns. 

The invention will be described in more detail 
with reference to the accompanying drawings, in 
which: 

Fig. 1 is a perspective view of a typical personal 
computer system; 

Fig. 2 is a diagrammatic view of a typical com- 
puter network; 

Fig. 3 is a block diagram for the computer 
system of Fig. 1 ; 

Fig. 4 is a diagrammatic view of a typical disk 
layout; 

Fig. 5 is a flow diagram showing enhanced data 
verification according to the present invention 
and 

Fig. 6 is a flow diagram showing enhanced data 
verification according to the present invention. 

Referring to Fig. 1, there is shown a personal 
computer system 100 which employs the present 
invention. The personal computer system 100 in- 
cludes a system unit 102 having a suitable enclo- 
sure or casing 104, output device or monitor 106 
(such as a conventional video display), input de- 
vices such as a keyboard 112, an optional mouse 
114, and an optional output device such as a 
printer 116. Finally, the system unit 102 may in- 
clude one or more mass storage devices such as a 
diskette drive 110 (operable with a diskette - not 
shown) and a hard disk drive (hardfile) 108. 

Referring to Fig. 2, a system unit 200 may be 
connected electronically in a well-known manner 
with other system units 202, 204 to form a network 
206. In the network, system unit 200 functions as 
the server and system units 202, 204 function as 
the clients. System unit 200 may be similar to 
system 100 of Fig. 1. System units 202, 204 may 
be similar to the unit 200, except that units 202, 
204 include no drives 108, 110 and are thus re- 
ferred to as medialess clients. Other conventional 
I/O devices may be connected to the system units 
200, 202, 204 for interaction therewith. 

Referring to Fig. 3, there is shown a block 
schematic diagram of computer system unit 102. 
System unit 102 includes processor 300 which is 
connected to read only memory (ROM) 302 (or 
other nonvolatile storage means such as an elec- 
trically programmable read only memory (EPR- 
OM)) which contains the POST 304 and BIOS 306 
programs. POST is the set of instructions which 



execute when the system is first powered-on to 
initialize the personal computer system 100. BIOS 
is the set of instructions which facilitate the transfer 
of data and control instructions between the pro- 

5 cessor 300 and I/O devices. Processor 300 is also 
connected, via bus 322, to a plurality of sub- 
systems. Many popular and well known computer 
busses are available for interconnecting the sub- 
systems of Fig. 3. Random access memory (RAM) 

w 312 is provided for the storage of programs and 
data. EEPROM 308 is an electrically erasable prog- 
rammable read-only memory. Check code 326, 
password 328, and flags 330 are stored in different 
fields of EEPROM 308. EEPROM 308 is under 

75 control of EEPROM controller 310. Direct access 
storage device (DASD) controller 314 provides the 
interface and connection to disk drive 108. DASD 
controller 314 can also support other devices such 
as CD-ROM drive 324. CD-ROM drive 324 is op- 

20 erable with a CD-ROM (not shown). Diskette con- 
troller 316 provides the interface and connection to 
diskette drive 110. Diskette drive 110 is operable 
with a diskette (not shown). Network controller 318 
provides computer system 100 with an interface 

25 and connection to network 206. Display controller 
320 provides an interface and connection to a 
display device such as computer display 106. Oth- 
er types of visual output devices are available for a 
computer system, display 106 is just one example. 

30 EEPROM controller 310 provides processor 

300 with the ability to read and write EEPROM 308. 
EEPROM controller 310 also allows the EEPROM 
read and/or write functions to be selectively dis- 
abled. Once a read or write function has been 

35 disabled, the computer system must be powered 
off before the function is reenabled. The system 
powers-on with both the read and write function 
enabled. The disable function provides an effective 
means to protect the EEPROM 308 contents. Pref- 

40 erably, read and write disable control is granular 
and can be selectively applied to the fields (check 
code 326, password 328, and flags 330) of EEPR- 
OM 308. EEPROM controller 310 is itself under 
control of processor 300. Processor 300 manages 

45 EEPROM controller 310 through typical in- 
put/output commands. 

Password 328 is a "secret" text string deter- 
mined and entered by the computer system user. 
Typically, a password utility program is run by the 

so user for entering and storing password 328. Check 
code 326 is, preferably, a modification detection 
code (MDC) as described in commonly owned U.S. 
Patent 4,908,861. The MDC is a cryptographic one- 
way function which calculates a 128-bit (16-byte) 

55 value from a given series of bytes without using a 
secret key. If a keyed cryptographic one-way func- 
tion is used, the key used is password 328, padded 
or otherwise expanded as needed to be of a size 
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as required by the cryptographic calculation. Check 
code 326, password 328, and flags 330 are further 
described in conjunction with Figs. 5 and 6. 

POST contains a bootstrap program which at- 
tempts to locate a boot device and load a boot 
program. Typically, the boot device is hardfile 108 
or diskette drive 110. The boot device can also be 
CD-ROM 324 or network 206 which is accessed via 
network controller 318. Diskette drive 110 requires 
a boot or operating system diskette to operate. If 
POST successfully loads a boot program from a 
boot device, then POST transfers control to the 
boot program, completing the operation of the 
POST bootstrap program. In the medialess environ- 
ment, a medialess system unit (e.g., 202) includes 
a suitable network controller 318 for providing a 
Remote Initial Program Load (RIPL) facility within 
the unit 202. The RIPL program permits booting an 
operating system from network server 200 rather 
than from a local storage device such as the fixed 
disk 108 or the diskette 110. RIPL is also referred 
to as simply Remote Program Load or RPL, and 
the terms are used interchangeably. RPL is well 
understood in the art. If a boot record was unable 
to be loaded and an RPL adapter is present, then 
POST transfers control to an RPL program. If no 
RPL program is present, then POST prompts the 
user indicating that a boot source is required. 

Referring to Fig. 4, there is shown a typical 
layout of the data residing on tile personal com- 
puter disk 108. The storage unit for data on a 
personal computer disk 108 is referred to as a 
sector. A sector is a block of 512 data bytes. A 
sector is identified by a relative block address 
(RBA) 408. Each sector has a unique RBA value. 
Typically, the first sector is indicated by an RBA 
value of 0, the second sector by an RBA of value 
1, the third sector an RBA value of 2, and so on. 
Stored on disk 108 is a boot program 400. The 
boot program 400 is a program which is responsi- 
ble for beginning the load of an operating system 
from one of a plurality of partitions 402, 404, 406, 
each partition including a plurality of sectors. The 
boot program 400 includes two components, a pro- 
gram code component and a partition table data 
component. By partitioning the disk, a plurality of 
operating systems may be simultaneously stored 
on a single disk 108. Only one partition is "booted" 
when the computer system is initializing. The boot 
program code component examines the partition 
table data component to determine which partition, 
if any, is designated as an active partition. Typi- 
cally, it is the active partition which contains the 
user's operating system. The active partition is 
designated by a flag within the partition table data 
component of the boot program 400. The boot 
program 400 loads the program contained within 
the disk partition (the disk partition program) and 



transfers control to the disk partition program. If the 
active partition contains an operating system then 
the disk partition program proceeds with loading 
the operating system from the partition. 

5 Referring to Fig. 5, a flow diagram of the op- 

eration of POST as it pertains to enhanced data 
verification is shown. In step 500, POST tests and 
initializes the computer system in a manner which 
is well known. POST reads the boot program 400 

70 from disk 108 into memory, step 502. POST then 
determines if the stored check code 326 value is 
present, step 506. A flag bit can be set in flags 330 
to indicate the presence of the check code 326. If 
check code 326 is not present as determined by 

75 step 504 then processing continues at step 512. If 
the stored check code 326 is present in step 504 
then control passes to step 508. POST reads the 
stored check code 326 value, step 504. In step 
508, POST calculates the boot program 400 check 

20 code. The check code is, for example, the pre- 
viously described MDC. POST compares the pre- 
viously retrieved stored check code 326 value with 
the computed check code value of the boot pro- 
gram 400, step 510. If the comparison of step 510 

25 indicates that the codes match then processing 
continues on to step 512 where control is passed 
to the boot program 400. Preferably, POST dis- 
ables the read and write functions of the EEPROM 
308 through EEPROM controller 310 to fully pro- 

30 tect the EEPROM 308 contents. If the comparison 
of step 510 indicates that the check codes do not 
match then control passes to step 514 where cor- 
rective action is taken. Corrective action can in- 
clude: displaying a message to the user, pausing 

35 further processing and/or "booting" a known dis- 
kette. If the stored and computed check code val- 
ues match, POST assumes there has been no 
change to the boot program 400 and allows the 
system to boot. If the values do not match, then 

40 POST issues a message indicating that the boot 
program 400 has probably been damaged or al- 
tered since the most recent boot program stored 
check code computation. The intent of the mes- 
sage is to imply that there is a possibility that the 

45 boot program 400 has been damaged or otherwise 
modified. Checking the check code of the boot 
program can be an optional feature enabled 
through a control bit, e.g. flag, stored in EEPROM. 
Once the boot program 400 obtains control, 

50 step 512, the boot program 400 itself preferably 
performs additional checks. The boot program 400 
identifies and verifies the disk partition to be load- 
ed, step 516. The result of the disk partition ver- 
ification is checked, step 518, and if the disk parti- 

55 tion verification did not succeed then corrective 
action is taken, step 520. Corrective action can 
include: displaying a message to the user, pausing 
further processing and/or booting the system from 
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a known diskette. A verified disk partition allows the 
boot program 400 to transfer control to the disk 
partition program, step 522. The verification pro- 
cess of step 516 may include a verification pro- 
gram such as the IBM program "Antivirus/2 " 
which is commercially available from IBM Corpora- 
tion. 

Referring to Fig. 6, a flow diagram of configur- 
ing computer system 100 for enhanced data ver- 
ification is shown. The disk layout as described in 
conjunction with Fig. 4 is established, step 600. 
Establishing the disk layout can be done with con- 
ventional programs such as the FDISK program 
provided with the DOS operating system which is 
standard and well known. An enhanced data ver- 
ification configuration program is provided as either 
part of a maintenance package (path A) or as part 
of an operating system package (path B); the en- 
hanced data verification configuration program may 
be provided as part of both packages. The en- 
hanced data verification configuration program is 
loaded when either the maintenance programs are 
loaded, step 602, or the operating system is loaded 
and installed, step 604. It is preferred that both 
maintenance programs and operating system pro- 
grams be manufactured and distributed on read- 
only media, thus insuring the origin and integrity of 
the programs. The enhanced data verification con- 
figuration program is run during step 606. Since 
the user will most likely install an operating system 
at some point, the preferred path is path B with the 
enhanced data verification configuration program 
included with the operating system program pack- 
age. The enhanced data verification configuration 
program computes and stores the check code 326, 
step 608. The check code 326 is computed against 
the boot program 400. The check code 326 is a 
code such as the previously described MDC. At 
this point the enhanced data verification configura- 
tion program can also store a flag value in EEPR- 
OM 308 in flag field 330 to indicate that a check 
code has been computed and stored in tile EEPR- 
OM 308. Additionally, the enhanced data verifica- 
tion configuration program can also store a flag to 
indicate that the boot sequence should be modi- 
fied, For example, it would be advantageous to 
remove the diskette from tile standard set of boot 
devices since a diskette may contain an unverified 
boot program. Omitting the diskette from the boot 
sequence can be overridden by, e.g., entering 
password 328. The enhanced data verification con- 
figuration program then disables the write function 
of EEPROM 308, step 610. The enhanced data 
verification configuration is then complete, step 
612. 



Claims 

1- A personal computer system compatible with 
application programs and operating system 
5 software, the personal computer system com- 

prising: 

a microprocessor electrically coupled to a 
data bus; 

non-volatile memory electrically coupled to 
70 the data bus, said non-volatile memory storing 

a first portion of operating system microcode; 

volatile memory electrically responsive to 
the data bus; 

a direct access storage device electrically 
75 responsive to the data bus, said direct access 

storage device storing a second portion of 
operating system microcode, said second por- 
tion of operating system microcode including a 
boot program; 

20 at least a first verifying means for verifying 

the integrity of said boot program prior to 
loading said boot program into said volatile 
memory, said first means for verifying being 
integral with said first portion of operating sys- 

25 tern microcode. 

2. A personal computer system according to 
claim 1, wherein said first verifying means in- 
cludes means for generating an initial modi- 

30 fication detection code based upon said boot 

program during an initial setup of the computer 
system. 

3. A personal computer system according to 
35 claim 2, wherein said means for generating 

includes a cryptographic one-way function 
which calculates a multi-byte value from a giv- 
en input series of bytes of said boot program. 

40 4. A personal computer system according to 
claim 2 or claim 3, wherein said non-volatile 
memory includes a check code portion, and 

said first verifying means stores said initial 
modification detection code in said check code 

45 portion. 

5. A personal computer system according to 
claim 4, wherein said check code portion of 
said non-volatile memory is disabled to pre- 

50 vent writing to said check code portion after 

said initial modification detection code is 
stored in said check code portion. 

6. A personal computer system according to 
55 claim 4 or claim 5, wherein said first verifying 

means compares a present modification detec- 
tion code upon power-up of the computer sys- 
tem with said initial modification detection 
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code, 

said first verifying means including means 
for taking corrective action if said present 
modification detection code does not corre- 
spond to said initial modification code, 5 

said first verifying means transferring con- 
trol to said boot record if said present modi- 
fication detection code corresponds to said 
initial modification detection code. 

10 

7, A personal computer system according to any 
one of claims 4 to 6, wherein said non-volatile 
memory includes a flag portion, and 

said first verifying means stores in said 
flag portion a flag to indicate the presence of 15 
said modification detection code. 

& A personal computer system according to any 
one of the preceding claims wherein said di- 
rect access storage device stores said second 20 
portion of operating system microcode in a 
first portion of the direct access storage device 
and the operating system software in a second 
portion of the direct access storage device; 

the computer system further comprising a 25 
second verifying means for verifying the integ- 
rity of the operating system software prior to 
loading the operating system software into said 
volatile memory. 

30 

9. A personal computer system according to 
claim 8, wherein said boot program includes 
said second verifying means. 

35 



40 



45 



50 



55 



EP 0 606 771 A2 




EP 0 606 771 A2 




EP 0 606 771 A2 



328 


_• password: 


: CHECK • 
: CODE : — 


308 






: FLAGS : 

J 


EEPROM 



330- 



310 



300 



PROCESSOR 



302 

^— ROM 

306 



312 



304 



BIOS 
POST 



FIG. 3 



EEPROM 
CONTROL 



322 



RANDOM 
ACCESS 
MEMORY 



326 



106^ 
320 



314 



316 



318 



DISPLAY 

zn 



324 



DISPLAY 
CONTROLLER 



DASD 
CONTROLLER 



CR-ROM 
DRIVE 



108- — ! 
110- 



DISK 
DRIVE 



DISKETTE 
CONTROLLER 



DISKETTE 
DRIVE 



NETWORK 
CONTROLLER 



206 



NETWORK 



EP 0 606 771 A2 



400v 
402 



404 



406 



TYPICAL DISK LAYOUT 



BOOT PROGRAM 
PARTITION 1 



PARTITION 2 



PARTITION N 



L 



DISK 

108 



FIRST 



408 



RELATIVE 

BLOCK 
ADDRESS 



LAST 



FIG. 4 



EP 0 606 771 A2 



500 



502 



POST TESTS AND INITIALIZES 
THE COMPUTER SYSTEM 



T 



POST READS THE BOOT 
PROGRAM INTO MEMORY 



504 



T 



516 



518 



522 



T 



VERIFY DISK PARTITION 



T 



DOES THE VERIFY 
PROCEDURE SUCCEED ? 



T 



YES 



TRANSFER CONTROL TO 
DISK PARTITION PROGRAM 



NO 


IS THERE A STORED 




CHECK CODE PRESENT ? 


506 i 


f YES 




POST READS THE STORED 
CHECK CODE VALUE 


508 ^ ^ 




POST COMPUTES THE BOOT 
PROGRAM CHECK CODE 


510 ^ ▼ 




DOES STORED CODE MATCH 
CALCULATED CODE ? 


512 ^ 


r YES 




TRANSFER CONTROL j 


► 


TO BOOT PROGRAM j 



514 



NO 



520 



NO 



TAKE CORRECTIVE 
ACTION 



TAKE CORRECTIVE 
ACTION 



□ 



FIG. 5 



EP 0 606 771 A2 



600 



INITIALIZE DISK LAYOUT 



602 



J 



T 



B 



604 



LOAD MAINTENANCE 
PROGRAMS 



606 



608 



610 



612 



T 



LOAD / INSTALL 
OPERATING SYSTEM 



RUN ENHANCED DATA 
VERIFICATION CONFIGURATION 
PROGRAM 



"A. 



COMPUTE AND STORE 
CHECK CODE 



J 



LOCK EEPROM 



T 



ENHANCED DATA VERIFICATION 
CONFIGURATION COMPLETE 



F/G. 6 



